Activities of "JanneHarju"

Thank you for your suggestion. So in option 1, do I need to configure the post logout URL which goes to the OpenIddictApplications table's PostLogoutRedirectUris column? And are you talking about this, where I need to configure the redirect URI? https://github.com/abpframework/abp/blob/8.3.4/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Logout.cshtml.cs So instead of setting my application's logged-out path as the post logout redirect URI, I set the auth server's /Account/Logout to the same redirect path?

So we need to take the auth code into our repo. We have tried to avoid that to ease version upgrades. But maybe this is only a temporary solution, and after we update to 9 that fix is already there and we can remove our custom code. What is the minimum amount of code/modules we need to take and override? Do we need to override only the login and registration pages, and is it possible to override only them and not take the whole auth server code base?

So when is this going to be fixed? And is the change coming only to version 9 or also to version 8? And how big a security risk do you think this is? Because from my perspective it is quite big.

Yes, but the user can still first select his own tenant, where he/she has permission to log in. Then after that login the user changes to another tenant and goes to the wrong tenant, where he was not authorized.

If the user changes the tenant to another one before login, then he cannot even log in to the third-party auth provider and there is no problem.

Yep, that is what it should be, that the user can change before login, but after the user has logged in to the third party (Microsoft) user should to be able to change tenant. When are you going to change this? Because this is quite a big security risk.

May I add that I get those errors only when running the project locally with ng serve. When I publish my project to the server there are no errors in the console.

But if you change the tenant before login, it uses that user's external login settings, where the user has no permissions. But in my described scenario the user selects his own tenant, where he/she hasn't yet registered, and logs in using that tenant's external login settings. After the external login, where the user has been verified by his own tenant's settings, the user can change to another tenant and register himself to that tenant without any verification that the user has rights to that tenant. Other tenant names can be guessed quite easily, because in our company we have many reference customers on our website where a user can find company names.

Or is there a possibility to always forget the selected tenant?

We don't yet have those login and register codes loaded and would like to keep it that way. So is there any configuration possibility, like postLogoutUrl or something? There are two levels of post logout URLs, for example: there is configuration on the Angular side, and then there are the same kind of settings with Azure EntraId. Currently I don't set a post logout URL, but what should it be, or is there any difference?

Now I managed to get the update done to the application, and at least the application is working as it should so far. Now after I select a tenant it redirects to the Azure login page, where I have already logged in, so it goes immediately back to the register page (as it did earlier), where the user can change the user name. Now I can click register and it goes to the application as it should. But now I have a small problem. How can I log out? After I click log-out it goes to the auth server page, remembers the tenant, goes directly to the Azure login page and then back to the application. So after log-out it comes back as logged in. This is probably some setting/configuration problem, but can you advise me how this could be resolved?

Made with ❤️ on ABP v10.0.0-preview. Updated on September 01, 2025, 08:37